djvu | cf1b38106e42989ddffb99e0163787135e7b294c5d5e88e3b47ca1b7cd0d6681

Sharing

Copy URL

Twitter E-mail

General

Target

cf1b38106e42989ddffb99e0163787135e7b294c5d5e88e3b47ca1b7cd0d6681
Size

9.0MB
Sample

241105-j22chsyclr
MD5

65db9d146bda563ec5749ec53091b2aa
SHA1

220b5f4edfb7310ed96020cdbac22f13911304ab
SHA256

cf1b38106e42989ddffb99e0163787135e7b294c5d5e88e3b47ca1b7cd0d6681
SHA512

ddd8cc9178b2f5605d28dc6110bb23ba56209677c29089ee8977b11333ed677be8439183c1181f2d75b5ac97357aecf6d7fcc50748ac724e79ffd5f3a7aa46b3
SSDEEP

196608:1OUwPDysgxilKFrSyj9yEwC9CSApC53wbTCwlN2xoWTrjFexDfRFy:dwPFgGKFmrLC9CSAA53mux/Trjr

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Extracted

Family

vidar

Version

34.5

Botnet

517

http://newcoldstart.com/

Attributes

profile_id
517

Extracted

Family

djvu

http://qpao.top/nddddhsspen6/get.php

Attributes

extension
.lisp
offline_id
OERd2J7H77Gx6pSuT1wDtZ44ScPhj765hrrFkKt1
payload_url
http://qpao.top/files/penelop/updatewin1.exe

http://qpao.top/files/penelop/updatewin2.exe

http://qpao.top/files/penelop/updatewin.exe

http://qpao.top/files/penelop/3.exe

http://qpao.top/files/penelop/4.exe

http://qpao.top/files/penelop/5.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-jydQMZP2Ie Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0267Orjk

rsa_pubkey.plain

Extracted

Family

redline

Botnet

Btc_YeaR

86.105.252.12:35200

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Botnet

2010

Extracted

Family

matanbuchus

http://gw397iwauwsf.top/Plugin.triumphdrop

Targets

- Target
  
  0x000100000001ab86-55.exe
- Size
  
  262KB
- MD5
  
  e2e9483568dc53f68be0b80c34fe27fb
- SHA1
  
  8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9
- SHA256
  
  205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37
- SHA512
  
  b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e
- SSDEEP
  
  6144:ePH9aqri3YL1Avg3NloWPxFL8QL2Ma8tvT0ecR:eP4qri3YL1Avg3NloWPTnL2f3x
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  0x000100000001ab87-47.exe
- Size
  
  71KB
- MD5
  
  f0372ff8a6148498b19e04203dbb9e69
- SHA1
  
  27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
- SHA256
  
  298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
- SHA512
  
  65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865
- SSDEEP
  
  1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  0x000100000001ab9c-70.exe
- Size
  
  977KB
- MD5
  
  5c6684e8c2b678de9e2776c6b50ddd72
- SHA1
  
  7d255100d811de745e6ee908d1e0f8ba4ff21add
- SHA256
  
  bb5d2c07ce902c78227325bf5f336c04335874445fc0635a6b67ae5ba9d2fefc
- SHA512
  
  f627ca67610f9d5c137bdae8b3f8f6c08ff9162d12b3e30d3886c72aec047d34e31b5f0e17120dc99d71b0c316e43bb946fc5d40a9babec7229ce3a3c9292acb
- SSDEEP
  
  24576:AyImjLox0UGnen302pqa5ugHd+XfyvS+x8eoSg1vpADsF:Ayju0U8e302pcgHd+X66+twvpr
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral5 behavioral6
- Target
  
  0x000100000001ad02-313.exe
- Size
  
  620KB
- MD5
  
  7f1c0fe70e588f3bead08b64910b455e
- SHA1
  
  b0d78d67ee8a703e2c5dff5f50b34c504a91cfee
- SHA256
  
  4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4
- SHA512
  
  e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84
- SSDEEP
  
  6144:LX1GLRsinbsICg9P078ralzUxCNhtlmvJG3fPh01/mMPtNmGlOuX3MR3t8/DPVQU:pGFs9ga1U0Nht6J/Dm4ZMRdUL24OFu
Score

7^/10

discovery
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
behavioral7 behavioral8
- Target
  
  0x000200000001aca8-173.exe
- Size
  
  61KB
- MD5
  
  a6279ec92ff948760ce53bba817d6a77
- SHA1
  
  5345505e12f9e4c6d569a226d50e71b5a572dce2
- SHA256
  
  8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
- SHA512
  
  213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
- SSDEEP
  
  1536:kFqVH99TlY1Gsae6hiQ0OghNUenX7snouy8/JVz5:79TlY1Gsae6hKhNUaX7sout/JJ5
Score

9^/10

discovery upx
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral10 behavioral9
- Target
  
  0x000200000001acb5-183.exe
- Size
  
  10.2MB
- MD5
  
  6b32791ddadc54b2e770a881eb83c260
- SHA1
  
  d5815c8b204c47ebbb9f91c4f66e459e14136a32
- SHA256
  
  23cb1064049da1e64c231cacee9908d9c1aed6a57b786740361d206d14bd2973
- SHA512
  
  3a7334533bbcf4b1ad5b6200a9ef4c319a72ea06659e42c9b857e8e02c9115b04e63a61fb892f475456d53b907a7b7fe7fafb09d9e66cfc51481c2f170ac86fb
- SSDEEP
  
  3072:a4Ni29XsrLu6i5lJBq5pbNSwHSLlkEfr6c46GCMjjjjjjjjo:rj8rLu6qPqvb8wyLlnfGc46GCM
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  0x000200000001acdf-236.exe
- Size
  
  274KB
- MD5
  
  996ba35165bb62473d2a6743a5200d45
- SHA1
  
  52169b0b5cce95c6905873b8d12a759c234bd2e0
- SHA256
  
  5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d
- SHA512
  
  2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634
- SSDEEP
  
  6144:vLgbC0mVQlY+3aKn7n4CTHcXXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXXXXP:vGCtQlb3aKzvT8XXnXXfXXXWXXXXHXXf
Score

8^/10

discovery
- Drops file in Drivers directory
behavioral13 behavioral14
- Target
  
  0x000200000001ace9-240.exe
- Size
  
  602KB
- MD5
  
  637a8b78f4985a7807c6cdb238df4534
- SHA1
  
  01c47b02ec8b83a0a29590c2512c844318af8710
- SHA256
  
  87dc2c320339840a39ae63d4a53a406d2c091573c9f75aa28ea614b454fcfe95
- SHA512
  
  0eef7aec2cd0de345299bccda7cce486d65bde9d8d1dcfb6a90ffff79bb32d2be36452b064e4bd5da7aa5998e3398dca4bc1bf1ead863c324f7111a8ebfa0682
- SSDEEP
  
  12288:M2qOnejvPJB7fwT8RHQHqdbnW2nQ0btJ2L:M2UUT8mIWs5btkL
Score

10^/10

vidar 517 discovery spyware stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vidar Stealer
  stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral15 behavioral16
- Target
  
  0x000300000001a5a2-209.exe
- Size
  
  842KB
- MD5
  
  185749ffbb860d3e5b705b557d819702
- SHA1
  
  f09470a934d381cfc4e1504193eb58139061a645
- SHA256
  
  1c5319523b316c789c5c29e87675e580a9016b4624f197df889cb942c9a32bfa
- SHA512
  
  0bb85d296bdcee1fd50200af1924c73f751b08737256178052f46a8937a1a9be5656b4ea465b97ef798e48a0f600ceb7d2e18feb4026426112642d3b9213cce5
- SSDEEP
  
  12288:s0mYwwrmPZtPdjyWMzVeB68ebdT7Qs0/9mlv6EHqRjgE7EysTaHbyD8:srEmbdeWMhec84TMb1eHGjgEwys2N
Score

10^/10

djvu discovery persistence ransomware
- Detected Djvu ransomware
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Djvu family
  djvu
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral17 behavioral18
- Target
  
  0x000300000001ac90-122.exe
- Size
  
  411KB
- MD5
  
  ceec23bdfaa35e0eeee0bb318f9d339f
- SHA1
  
  69337754824f165accef920ec90d25aae72da9ca
- SHA256
  
  e6ba7316c20de986784a205b13617c3c13ce4daa628a26d0c2d4bbf0fe7a21c6
- SHA512
  
  7d401409ab447ebbcd1412e192815a8f257e4fb947feb5f69834e4a97efa7031b4ff1fcd5f1d97277a465a96b12c78ef6ae79795e416cb14f4beb3dfa0bc6e47
- SSDEEP
  
  6144:2Y3GLOIYJuOA2g4JH6+YrtH7XHthkVQS+RY3rFBCEGCM:f3GKIhOAOd6+YFzHthk+S+O
Score

10^/10

redline btc_year discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
behavioral19 behavioral20
- Target
  
  0x000300000001ac99-126.exe
- Size
  
  300KB
- MD5
  
  ca58d4cf4a5e0725f844c8eae3f8ae67
- SHA1
  
  fbce92619ce23f4594846f2f789e513dab9f3239
- SHA256
  
  0e3774d65577253a820f1ee272d7a0c96e4c6a869ef8f749fe7f83d2fc49f054
- SHA512
  
  32bdfc2e72fff79c075d5f9ead8268f1e9e0648635fd977f6d8db62358c48d5451b64e639b1853bd87220a1157e74754e1109b3f1797f98ef02d5151fb09f4a9
- SSDEEP
  
  3072:qCQZiIdWYqLrMS5l0uAScmbcucv4Y8ngIw1MluGCMjjjjjjjjo:CRxqLrMa0EcmrchcTgGCM
Score

10^/10

smokeloader pub1 backdoor discovery trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Loads dropped DLL
behavioral21 behavioral22
- Target
  
  0x000300000001ac9e-134.exe
- Size
  
  311KB
- MD5
  
  fdde60834af109d71f4c7d28b865c8a1
- SHA1
  
  4f721105161b74e07b5ccd762d32932989bfb03a
- SHA256
  
  b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87
- SHA512
  
  fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778
- SSDEEP
  
  3072:eYtiwgUsQLaKw5lD5G53Nwu9YMqpyqvymEVKsEwjGCMjjjjjjjjo:vELQLaKEtG594MqpyqvyFXGCM
Score

10^/10

smokeloader 2010 backdoor discovery trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  0x000300000001ac9e-206.exe
- Size
  
  311KB
- MD5
  
  fdde60834af109d71f4c7d28b865c8a1
- SHA1
  
  4f721105161b74e07b5ccd762d32932989bfb03a
- SHA256
  
  b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87
- SHA512
  
  fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778
- SSDEEP
  
  3072:eYtiwgUsQLaKw5lD5G53Nwu9YMqpyqvymEVKsEwjGCMjjjjjjjjo:vELQLaKEtG594MqpyqvyFXGCM
Score

10^/10

smokeloader 2010 backdoor discovery trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral25 behavioral26
- Target
  
  0x000300000001ac9f-141.exe
- Size
  
  19KB
- MD5
  
  5898d001eedb60a637f9334965e241a9
- SHA1
  
  59d543084a8230ac387dee45b027c47282256d02
- SHA256
  
  08eb269d6c3bfaf4d3cde53a987e0adc96a171235d3c34e3c6e9422920e793dd
- SHA512
  
  d8be87bddd9f289597221d864370dfdd1ea94d2910837e211f34eec0fee56477672d98bd0565059389ff6d9ac79002f0ffa792feb84db02b18f432c6174e71e0
- SSDEEP
  
  384:iPX7p5YPHsFqA4EXFFqMWXxzxDzd6a2lmOa/dCfO:iDp5EsAMFoFXTNWNq/
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  0x000300000001acec-245.exe
- Size
  
  482KB
- MD5
  
  801a4e85faeb41919a0da6fa174ada04
- SHA1
  
  cf6a3be6cf3130a0d2a92ac9eec392e43029a06c
- SHA256
  
  23a96527c86ed75232f146343a612a96b8a6e70433cbdf39c9a611aeb3191ddd
- SHA512
  
  319b835e51c98e710a9bea852b79796f1516a5f38b092a2319e65cf21ca63be25621a8a89bd33fe32bc75fde5e115597d141fb68897738daccf476e9576dd54b
- SSDEEP
  
  6144:nrvOLnVDxQxwR+v9SBCRgNnXisfyZlguHu4CfN1LvCe+Ps/gXb0U/sXGCM:7OTV2Ci5OFLfyDgcu51F+Ps/kb0q
Score

10^/10

matanbuchus discovery loader
- Matanbuchus
  A loader sold as MaaS first seen in February 2021.
  loader matanbuchus
- Matanbuchus family
  matanbuchus
behavioral29 behavioral30
- Target
  
  0x000300000001aced-248.exe
- Size
  
  620KB
- MD5
  
  7f1c0fe70e588f3bead08b64910b455e
- SHA1
  
  b0d78d67ee8a703e2c5dff5f50b34c504a91cfee
- SHA256
  
  4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4
- SHA512
  
  e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84
- SSDEEP
  
  6144:LX1GLRsinbsICg9P078ralzUxCNhtlmvJG3fPh01/mMPtNmGlOuX3MR3t8/DPVQU:pGFs9ga1U0Nht6J/Dm4ZMRdUL24OFu
Score

7^/10

discovery
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
behavioral31 behavioral32